Tweaking Optimizing Windows.pdf - GEGeek

More documents

Recommendations

Info

There are three basic types of exploits that are used on TCP ports. The first is when someone sends many, many packets to your machine so that it freezes or blue screens under the electronic onslaught. This is a form of a denial of service (DoS) attack. The second is where they send a specially crafted packet that "overloads" the port, allowing them to either execute code or cause the service/OS to crash. This is called a buffer overrun. The last is when you haven't properly secured your services, and they can connect to your mail server, and then send commands to the OS under the credentials of the mail service. For the most part the last is not something you need to worry about on a Windows 2000 workstation. These products can be configured to let you know about all such noteworthy events, and they will make your home machine a lot safer from the malicious e-rabble in the process. 14. List connections to your machine Type 'netstat -a' in a command prompt will tell you who if anyone is connected to your computer. 15. Test your network Now that your network is set up and hopefully locked down, you can test it at a number of sites to see if you got the basics. Please note that these do NOT mean that your workstation is secure, and do NOT assume that because you pass this no one can break into your workstation. These are just tools letting you know that some of the most obvious exploits. Here are the sites. http://grc.com/intro.htm www.dslreports.com/r3/dsl/secureme www.antionline.com/ 16. Use NTFS NTFS partitions offer access controls and protections that aren't available with the FAT, FAT32, or FAT32x file systems. Make sure that all partitions on your server are formatted using NTFS. If necessary, use the convert utility to non-destructively convert your FAT partitions to NTFS. Warning If you use the convert utility, it will set the ACLs for the converted drive to Everyone: Full Control. Use the fixacls.exe utility from the Windows NT Server Resource Kit to reset them to more reasonable values. Also no dual booting. 17. Encryption If you are using the NTFS file system you can encrypt files or folders so that they cannot be opened by other users. Open Windows Explorer, and then browse to the file or folder to be encrypted. Right-click on the file/folder and click 'Properties'. On the 'General' tab, click 'Advanced'. Select the 'Encrypt contents to secure data' check box. Encrypting a folder automatically encrypts all its subfolders and files. The encryption of a file or folder is transparent to the person who encrypts it; that person can work with the file without restriction. Encryption protects against others opening that file or folder. Never leave sensitive material on your computer e.g. credit card numbers etc unless it is properly encrypted. Use PGP software (Pretty Good Privacy, from Network Associates), to make an encrypted virtual drive. No one will be able to access the contents of the PGP drive unless the proper password is entered. To be really, really safe encrypt the contents of the items you put into the PGP drive once again. Never use the same password that you use for anything else for PGP. 95, 98 and NT passwords are very easy to crack. Make sure that your passphrase for PGP is over 25 characters long and contain non asci characters (see next tip). When making a new key make the new key 4096 bit and make sure that you use 256bit for the PGP Disc. Overkill I know but as computers are getting faster and faster everyday the cracking of highly encrypted files comes that one bit closer. 18. Use strong passwords Windows 2000 allows passwords of up to 127 characters. In general, longer passwords are stronger than shorter ones, and passwords with several character types (letters, numbers, punctuation marks, and nonprinting ASCII characters generated by using the ALT key and three-digit key codes on the numeric keypad - see further below for complete list of non ASCII characters) are stronger than alphabetic or alphanumeric-only passwords. For maximum protection, make sure the Administrator account password is at least nine characters long and that it includes at least one punctuation mark or nonprinting ASCII character in the first seven characters. In addition, the Administrator account password should not be synchronized across multiple servers. Different passwords should be used on each server to raise the level of security in the workgroup or domain. Also try to avoid words that are used in the English dictionary. Its common sense but never write your password down, never type your password in when someone is near by and never use passwords that have something in common with yourself e.g. if someone liked Harleys they may have Harley Davidson as the passphrase ! There's a lot of discussion on how complex/long you should make your password. One common misconception about hacking an account is that it is frequently done through brute force attacks. This is where a remote machine tries to log into your local one over and over, trying a different password each time. Don't worry too much about this because there are only two accounts that everyone has on their Windows 2000 workstation, Administrator (which you have renamed) and Guest (which you have disabled). There is one big if. IF someone has access to the physical medium you are using to connect to another computer (i.e. they are on the same Ethernet segment or sharing someplace else further down the line), they can attempt to sniff the packets off the wire. Since computers use electricity to send information over a network (ok, some use light, but really, how many of you have fiber to your desktop?), every computer on a network segment gets every packet passed on that segment (Unless you are switched to the desktop). Usually network cards ignore information not intended for them, but people of a mischievous bent can install programs that let them pick up and save information that is intended for other people's computers. If you are using Telnet, FTP or clear text SMB connections (Some older network programs use this, SAMBA for instance), your passwords are there for the taking. It's that simple, they just run the program and read it. Even worse, Windows 9X and NT (preservice pack 4) defaults to using the LAN Manager hash to encrypt passwords. This was a decently secure way to do it back in the day, but with today's powerful processors, programs like L0phtCrack can sniff and decode your NT/9X authentication session-in real time. This is not a good thing. Fortunately for the security conscious Windows user, Microsoft has made NTLMv2 the standard method of encryption for authentication for NT after SP4 and 2000 from the start. The gotcha is that if you are in communication with a machine that only supports an older version, Windows 2000 will communicate in a way the older machine understands, meaning a less secure method. The Windows 2000 CD has an update for Win9X that allows 9x to use NTLMv2. It is found at Clients\Win9x\Dsclient.exe. Remember, if your password is easy to guess, it doesn't matter how well encrypted it is, so use something unusual. Your phone number from your childhood home, your aunt's last name, or anything else that is:
- Not found in a dictionary - Not directly related to you (don't use your name, address or the word "password", please), - Mix the password with numbers and non asci characters if possible e.g. 43934!!!^BLAH&*"£$ - Don't use a blank one - I mean it, don't use a blank one. If you are sharing your machine with others, you should make sure that all the users use different ID's and passwords. You don't want your roommate to delete your term paper or be able to read your email. Windows 2000 has greatly improved on the Profiles that NT 4 used to keep your files separate from other user's. This will work if: - You don't let everyone have Administrative rights to your workstation (or they can just take ownership of the file and assign any rights they like, although this should leave an auditing trail) - You are all logging in as separate users. Make everyone an ID and make sure they use it. It can be easy to guess the password of someone you know, so you should consider requiring complex passwords. These are a lot harder to guess, because they have to be 6 characters long and have a mix of characters in them. This also prevents the user from using their username as the password. To enable this: - Open up MMC. - Add the Group Policy Snap-in, selecting local computer - Go to Windows settings > Security Settings > Account Policy - Change "Passwords must meet complexity requirements" to Enabled - Set the minimum password length to at least 8 characters - Set a minimum password age appropriate to your network (typically between 1 and 7 days) (this is for the truly paranoid, because it comes into play when a user is forced to change password, and changes it 5 times in a row so they can get it back to what it was originally. Not a problem really. - Set a maximum password age appropriate to your network (typically no more than 42 days) - Set a password history maintenance (using the "Remember passwords" option) of at least 6 How strong is your password ? If someone runs a password cracker, and if it starts at the good length, how much computations he could expect to do. This is very simple. First count how much different characters you use. If you use only letters, that is 26, if you use lowcase and upcase letters, it is 52 (26 + 26), if you use only figures it is 10, etc. Let's call this number p. Then count how long your password is. We shall call that number l To know how much possibilities there are, compute p ^ l. Be your password yh66p14kk. You used lowcase letters and figures, that makes 36 different characters (26 + 10). The password is 9 letters long. So there are more than 100,000,000,000,000 possibilities. (36 ^ 9 is about 1.016*10^14) It is an excellent password. A thing you should be aware of, is that some systems does not account the case of your password. If that is the case, abc, ABC and aBc are the same password and you can only consider 26 different characters instead of 52. I advise you to use figures an some sings like ( or /. You can generate secure passwords by using a good password generator at www.winguides.com/security/password.php Also use Jeremy Allison's PWAudit program to monitor the keys that PWDump accesses. This way you can logs attempts at grabbing the password. Non ASCII characters - use them in your password ! Alt - 0 = NUL Alt - 1 = ? Alt - 2 = ? Alt - 3 = ? Alt - 4 = ? Alt - 5 = ? Alt - 6 = ? Alt - 7 = • Alt - 8 = ? Alt - 9 = ? Alt - 10 = ? Alt - 11 = ? Alt - 12 = ? Alt - 13 = ? Alt - 14 = ? Alt - 15 = ¤ Alt - 16 = ? Alt - 17 = ? Alt - 18 = ? Alt - 19 = ? Alt - 20 = Alt - 21 = § Alt - 22 = ? Alt - 23 = ? Alt - 24 = ? Alt - 25 = ? Alt - 26 = ? Alt - 27 = ? Alt - 28 = ? Alt - 29 = ? Alt - 30 = ?
Page 1 and 2:
Mr.X.'s TWEAKING AND OPTIMIZING WIN
Page 3 and 4:
-Msdownld.tmp This one needs manual
Page 5 and 6:
If you have Windows 95/NT you can e
Page 7 and 8:
BootKeys=1 BootMenu=0 BootMenuDefau
Page 9 and 10:
Settings\Cache\History] "CachePath"
Page 11 and 12:
Similarly, open Internet Explorer,
Page 13 and 14:
g - Restart your computer once step
Page 15 and 16:
38. Keep IE crash free Here's a tip
Page 17 and 18:
44. Switch off Dos memory manager D
Page 19 and 20: Data: D:\WIN95 58. Clear Recent Doc
Page 21 and 22: Click on the property tab for this
Page 23 and 24: Right-click in the right hand pane
Page 25 and 26: By the use of this client software,
Page 27 and 28: 8. Want Real mode DOS back in Windo
Page 29 and 30: Recommendation: This service will f
Page 31 and 32: detect and/or recognize your hardwa
Page 33 and 34: It should almost certainly benefit
Page 35 and 36: Click start. click settings. click
Page 37 and 38: Click Analyze, click ok, click Acti
Page 39 and 40: Nonbrowser. A nonbrowser is configu
Page 41 and 42: Private IP Addressing (APIPA) for p
Page 43 and 44: provides protected storage for sens
Page 45 and 46: If the service is turned off, RIS i
Page 47 and 48: enables NetBIOS name resolution. Pr
Page 49 and 50: 11. Adaptive Menus Microsoft Office
Page 51 and 52: 3. Speed up Internet Explorer 6 Fav
Page 53 and 54: Note that in doing this, you are co
Page 55 and 56: claimed for a ‘fixed’ page file
Page 57 and 58: When a NTFS drive is formatted it b
Page 59 and 60: Goto above key in registry and you
Page 61 and 62: To get Admin account on the "Welcom
Page 63 and 64: • Security is not opening attachm
Page 65 and 66: is not acceptable, and that anythin
Page 67 and 68: [-HKEY_LOCAL_MACHINE\System\Current
Page 69: exists on your NT machine (this key
Page 73 and 74: Alt - 119 = w Alt - 120 = x Alt - 1
Page 75 and 76: Alt - 0166 = ¦ Alt - 0167 = § Alt
Page 77 and 78: 11. Remove the default administrato
Page 79 and 80: These logs can contain sensitive da
Page 81 and 82: Right-click in the right hand pane,
Page 83 and 84: 57. Temporarily Assign Yourself Adm
Page 85 and 86: Install the appropriate post-Servic
Page 87 and 88: Windows XP Home Edition Configurati
Page 89 and 90: Caution If your computer is not in
Page 91 and 92: C:\inetpub\ftproot (FTP server) C:\
Page 93 and 94: MBR Work - www.terabyteunlimited.co
Page 95 and 96: Extreme Tech www.extremetech.com Fi
Page 97 and 98: IconFactory.com www.iconfactory.com
Page 99 and 100: Cable Modem Tips http://homepage.nt
Page 101 and 102: _Google _Google Image Search _Googl
Page 103 and 104: Boot other device This feature dete
Page 105 and 106: feature is a little different from
Page 107 and 108: ypass the compensation circuit and
Page 109 and 110: Therefore, using the latest video B
Page 111 and 112: So, for optimal performance, you sh
Page 113 and 114: second clock cycle before sending t
Page 115 and 116: SDRam RAS precharge time This featu
Page 117 and 118: The shorter the delay, the earlier
Page 119 and 120: CPU level 1 cache The modern proces
Page 121 and 122:
MPS 1.1 was the original specificat
Page 123 and 124:
Please note that even if you don't
Page 125 and 126:
Advanced Settings tab of the associ
Page 127 and 128:
However, this is not a surefire way
Page 129 and 130:
This feature allows you to manually
Page 131 and 132:
doubling the bandwidth of the proce
Page 133 and 134:
When this feature is enabled, the s
Page 135 and 136:
VLink 8X support V-Link refers to V
Page 137 and 138:
You will notice that the interrupts
Page 139 and 140:
AMD OVERCLOCKING - changing the mul
Page 141 and 142:
Examples of terminology used You wi
Page 143 and 144:
are much easier to use. No matter w
Page 145 and 146:
Hard drive limitations Overclocking
Page 147 and 148:
5.0x 500Mhz 560Mhz 620Mhz 665Mhz 5.
Page 149 and 150:
If you see copper, you've gone too
Page 151 and 152:
"PC" specification that SDRAM uses
Page 153 and 154:
Benchmarks allow you to measure you
show all

Tweaking Optimizing Windows.pdf - GEGeek

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?